TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The Private Debt Collection Program Was Effectively Developed and Implemented, but Some Follow-up Actions Are Still Necessary

March 27, 2007

Reference Number: 2007-30-066

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site      | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

March 27, 2007

MEMORANDUM FOR COMMISSIONER, SMALL BUSINESS/SELF-EMPLOYED DIVISION

FROM:    Michael R. Phillips
         Deputy Inspector General for Audit

SUBJECT: Final Audit Report – The Private Debt Collection Program Was Effectively Developed and Implemented, but Some Follow-up Actions Are Still Necessary (Audit # 200630022)

This report presents the results of our review of the Internal Revenue Service’s (IRS) Private Debt Collection program (Program). The overall objective of this review was to evaluate the effectiveness of the IRS’ implementation of the Program.

Impact on the Taxpayer

To implement the Program, the IRS will use private collection agencies (hereafter referred to as PCAs or contractors) as an additional resource to help collect delinquent Federal taxes.
In July 2004, the Department of the Treasury estimated the IRS will collect $1.4 billion through the Program over the next 10 years (Fiscal Years 2006-2015). Balance-due cases were first placed with three contractors on September 7, 2006. Overall, the IRS effectively developed and implemented several aspects of the Program, thus providing better assurance that taxpayer rights are protected and Federal tax information is secure. Specifically, contractor employees were adequately trained, background investigations were completed, telephone call monitoring and oversight procedures were established, and computer and physical security procedures were established before cases were assigned. However, the IRS needs to follow up on computer security issues, update procedure guides, and update the application used to calculate projected revenue.

Synopsis

As of September 30, 2006, the gross accounts receivable to the IRS totaled $271 billion. On October 22, 2004, the President signed the American Jobs Creation Act,[1] which created a new Internal Revenue Code Section 6306 (2004) to permit PCAs to help collect Federal tax debts. Overall, the IRS has taken proactive measures to effectively develop and implement the Program.

  • The IRS took appropriate steps to ensure contractor employees received sufficient and adequate training on applicable laws and regulations before allowing them access to Federal tax information.
    This included providing contractors with an orientation and overview of the training required and conducting an onsite assessment of the contractor training.
  • The IRS required all contractor employees assigned to the Program contract, or who have access to Federal tax information, to undergo background investigations. The IRS granted either interim or final approval of background investigations for each employee working on the contract at the time of our review.
  • The IRS established adequate oversight through telephone call monitoring, case action reviews, taxpayer satisfaction surveys, and a variety of other reviews to ensure contractors adhere to contract requirements and protect taxpayer rights.
  • The IRS took appropriate and sufficient steps to ensure development and implementation of the Program were effective throughout the process. The IRS met regularly with the contractors to address concerns and issues, tested contractor systems for readiness and accuracy, and evaluated contractor computer and physical security.
  • At the IRS’ request, the Treasury Inspector General for Tax Administration Office of Investigations participated in various implementation areas such as creating a training video for the contractors, participating in onsite contractor training, and reviewing various security issues.

Concurrent to our review, the IRS performed its own tests and analyses to identify and address risks and concerns. After our audit work was completed, the IRS continued to monitor the PCAs and, on February 14, 2007, announced the contracts for two of the PCAs had been extended through March 8, 2008.
The agency decided, and the third PCA agreed, that their contract would not be extended.

[1] Pub. L. No. 108-357, 118 Stat. 1418 (2004).

While we identified several issues during implementation, the IRS resolved most concerns prior to the initial placement of cases with the contractors. Nonetheless, some issues still need to be addressed. One contractor maintained Federal tax information on a computer server that was also used to maintain data for four other contractor clients. Use of a shared server increases the risk that Federal tax information may be inadvertently disclosed, lost, or stolen. Although use of a single, dedicated server is not required, we believe this would strengthen security over Federal tax information. One contractor was using Telnet to transmit Federal tax information. This significantly increases the risk that Federal tax information may be inadvertently disclosed or stolen. One contractor had not loaded antivirus software on its operating system or encryption software on its laptops. This significantly increases the risk that Federal tax information may be corrupted or disclosed. At both contractors, we identified computer security concerns about the protection of Federal tax information and audit trails. While the security concerns are not as significant as those noted previously, improvements could be made to better enhance computer security.
Many of the computer security issues identified, including the maintenance of data on a shared server, were risks identified at the location of the contractor for which the IRS did not extend the contract.

We also identified physical security concerns at both contractors that presented various weaknesses. By the time we had concluded our onsite reviews, the contractors were in the process of resolving some of the computer and physical security concerns. We were subsequently notified by the contractors that they had resolved most of the concerns.

Some sections in the Program guides and handbooks need to be strengthened and/or clarified. If procedures are not updated, these conditions could result in untimely suspension of contractor collection action, unsatisfactory customer service, and unidentified or untimely identified taxpayer complaints.

One contractor used an initial contact script that provided its employees with a very specific set of questions to ask the taxpayer. Another contractor used a series of general questions and a checklist of specific items for the employees to consider. The third contractor did not use an initial contact script and relied upon training provided to employees to ask the appropriate questions. There was no requirement for contractors to have scripts. However, we believe taxpayer rights would be better protected if contractors were required to use scripts for all types of telephone contacts with taxpayers and provide the scripts to the IRS, which could then review and approve them.

Finally, the IRS hired a contractor to develop a revenue model and used this model to calculate projected revenue based on the inventory the IRS plans to place with contractors. The IRS is in the process of updating this model and the revenue projection goals, and we identified three additional areas that we believe management should consider during this update.
The IRS should consider the impact of those taxpayers who opt out of the Program; the age of the cases that will be assigned to the contractors; and the actual percentage of dollars being collected, which was projected to be higher than those achieved by collection agencies used by other Federal Government agencies.

Recommendations

We recommended the Director, Collection, Small Business/Self-Employed Division, include in the Request for Quotation[2] a requirement for PCAs to maintain Federal tax information on a separate server; follow up to ensure PCAs have completed their efforts to resolve the specified computer and physical security concerns; update the Contracting Officer’s Technical Representative[3] and Telephone Monitoring and Case Action Review procedures to ensure consistency and completeness; include in the Request for Quotation a requirement for PCAs to provide a copy of scripts for all telephone contacts with taxpayers to the IRS, which will then review and approve them; and continue updating and/or modifying the revenue model to ensure the IRS appropriately accounts for the impact of taxpayers who opt out of the Program, the age of the balance due, and the actual collection rate achieved.

Response

The IRS agreed with our recommendations and will address security issues in the next contract negotiations and PCA security reviews, update policies to provide consistent and complete instructions regarding taxpayer complaints, strengthen control of taxpayer contacts, and address concerns in the revised revenue model.
Management’s complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Daniel R. Devlin, Assistant Inspector General for Audit (Small Business and Corporate Programs), at (202) 622-5894.

[2] A Request for Quotation is a formal solicitation to sources outside of the Federal Government for offers to provide products or services.
[3] Contracting Officer’s Technical Representatives are responsible for managing the PCA contracts and ensuring compliance with requirements.

Table of Contents

Background

Results of Review
    The Internal Revenue Service Has Taken Proactive Measures to Effectively Develop and Implement the Private Debt Collection Program
    Many Computer and Physical Security Concerns Have Already Been Addressed
        Recommendation 1
        Recommendation 2
    Handbooks and Guides Were Revised to Address Most Concerns Regarding Procedural Consistency and Completeness
        Recommendation 3
    Contractors Were Not Required to Have Scripts for Employees to Use When Contacting Taxpayers
        Recommendation 4
    The Internal Revenue Service Should Continue Monitoring Revenue Projection Goals
        Recommendation 5

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Physical Security Concerns
    Appendix V – Management’s Response to the Draft Report

Abbreviations

COTR               Contracting Officer’s Technical Representative
IRS                Internal Revenue Service
PCA; contractor    Private collection agency
Background

As of September 30, 2006, the gross accounts receivable to the Internal Revenue Service (IRS) totaled $271 billion. To help address this tax debt inventory, the Department of the Treasury proposed that Congress pass legislation authorizing the IRS to use private collection agencies (hereafter referred to as PCAs or contractors) to help collect tax debts for simpler types of cases. The IRS refers to this effort as the Private Debt Collection program (Program).

[Sidebar: One objective of the Private Debt Collection program is to use private collection agencies to help collect the $271 billion in taxes owed to the Federal Government.]

On October 22, 2004, the President signed the American Jobs Creation Act,[1] which created a new Internal Revenue Code Section (§) 6306 (2004) to permit PCAs to help collect Federal tax debts. The law allows PCAs to locate and contact any taxpayer specified by the IRS, to request from such taxpayer full payment of the amount of Federal tax due, and to obtain financial information with respect to such taxpayer.
The law allows the IRS to retain and use an amount not in excess of 25 percent of the amount collected by the PCAs for the cost of services performed under a contract and an amount not in excess of 25 percent of the amount collected for collection enforcement activities of the IRS.

According to the IRS, the three main objectives of the initiative to use contractors are to:

  • Help to significantly reduce the growing number of uncollected tax liabilities.
  • Help maintain taxpayer confidence in the fairness of the tax system by assisting the IRS in addressing more of its delinquent accounts.
  • Assist the IRS in its continued focus to dedicate existing collection and enforcement resources on more difficult cases and issues.

The legislation provides that the provisions of the Fair Debt Collection Practices Act[2] shall apply to PCAs. The law also prohibits PCAs from committing any act or omission that IRS employees are prohibited from committing in the performance of similar services. The legislation created Internal Revenue Code § 7433A (2004) to permit civil actions by taxpayers for unauthorized collection actions by employees of the PCAs. The law also amended § 1203 of the IRS Restructuring and Reform Act of 1998[3] relating to termination of employment for misconduct to include employees of PCAs, if such individuals committed any act or omission described under subsection (b).

According to the IRS, contractors will be required to adhere to all taxpayer protections and will be prohibited from threatening or intimidating taxpayers, or otherwise suggesting that enforcement action will or may be taken, if a taxpayer does not pay the liability. The contractors must also adhere to all security and privacy regulations for systems, data, personnel, and physical security, and all taxpayer rights protections.

On March 9, 2006, the IRS awarded contracts to 3 firms from a field of 33 for the first phase of the Program. On September 7, 2006, the IRS placed an initial inventory of 11,562 balance-due accounts with the 3 contractors.

This review was performed in the IRS Small Business/Self-Employed Division in New Carrollton, Maryland, and the contractor worksites of Pioneer Credit Recovery, Inc. in Perry, New York; Linebarger Goggan Blair & Sampson, LLP in Austin and San Antonio, Texas; and The CBE Group Inc. in Waterloo, Iowa, during the period April through December 2006. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] Pub. L. No. 108-357, 118 Stat. 1418 (2004).
[2] 15 U.S.C. §§ 1601 note, 1692-1692o (2000).
[3] Pub. L. No. 105-206, 112 Stat. 685 (codified as amended in scattered sections of 2 U.S.C., 5 U.S.C. app., 16 U.S.C., 19 U.S.C., 22 U.S.C., 23 U.S.C., 26 U.S.C., 31 U.S.C., 38 U.S.C., and 49 U.S.C.).

Results of Review

The Internal Revenue Service Has Taken Proactive Measures to Effectively Develop and Implement the Private Debt Collection Program

Overall, the IRS effectively developed and implemented several aspects of the Program before cases were assigned to the contractors. These include contractor employee training, background investigations, and IRS oversight of the contractors.

  • The IRS conducted an orientation and overview of the required training and other contract assistance needed for all contractor employees working on the Program. This event provided the contractors an opportunity to raise questions and clarify requirements. As observers of the event, we believe the IRS presenters were fully prepared and well versed in their subject areas. Overall, the orientation attendees expressed satisfaction with the training and the instructors. The attendees were then responsible for providing training sessions to their employees who were to be assigned IRS cases.
  • The IRS conducted onsite assessments of the training sessions to ensure contractor employees were trained on the applicable laws and regulations. Topics required to be covered included the Fair Debt Collection Practices Act, IRS Restructuring and Reform Act of 1998 § 1203, and disclosure. The IRS reported the contractors conducted training sessions from August 8 through 30, 2006.
    Contractor employees were required to pass with a 70 percent or better rating in every examination taken. Those not passing were not allowed to work IRS cases or continue with the training. The IRS documented the contractors took appropriate actions to remove such employees from working on the contract.
  • The IRS Personnel Security and Investigation Program office granted either interim or final approval of background investigations for all the contractor employees working on the contract at the time of our review. Contractors are required to submit to the IRS requests for background investigations for all employees assigned to work on the contract. On two separate occasions, we requested current lists of contractor employees working on the contract: one prior to and one subsequent to the placement of cases. We forwarded the lists to the Personnel Security and Investigation Program office to determine the status of the background investigations. Upon reviewing the response, we confirmed that contractor employees are not permitted to work on the private debt collection contract until approval has been granted. Also, we confirmed employees whose approvals were denied had been appropriately and timely removed from working on the contract.
  • The IRS established an adequate method to monitor the quality of work being performed by the contractors.
    The proposed IRS oversight, designed to ensure contractors adhere to contract requirements and the protection of taxpayer rights, includes telephone call monitoring and case action reviews by quality analysts, taxpayer satisfaction surveys, and a variety of reviews by the Contracting Officer’s Technical Representatives (COTR).[4]
  • The IRS ensured it and the contractors were appropriately prepared. The IRS conducted regular meetings to plan and determine the status of implementation and to address concerns and issues; ran tests of the contractors’ systems to determine readiness and verify accuracy; conducted computer and physical security reviews at each contractor worksite; and established an independent review team to review contractor safeguards, processes, and procedures and to evaluate risks.
  • The IRS engaged the Treasury Inspector General for Tax Administration Office of Investigations in the process. The Office of Investigations participated in various implementation areas such as creating a training video for the contractors, participating in onsite contractor training, and reviewing various security issues.

Concurrent to our review, the IRS performed its own tests and analyses to identify and address risks and concerns. After our audit work was completed, the IRS continued to monitor the PCAs and, on February 14, 2007, announced the contracts for two of the PCAs had been extended through March 8, 2008. The agency decided, and the third PCA agreed, that their contract would not be extended.

While we identified several issues during implementation, the IRS resolved most concerns prior to the initial placement of cases with the contractors.
Only a small number of issues still need to be addressed.

Many Computer and Physical Security Concerns Have Already Been Addressed

We conducted independent computer and physical security reviews at the worksites of two of the three contractors awarded contracts to work on the IRS Program. We also participated as third-party observers of the IRS review of physical security at the worksite of the third contractor.

[4] COTRs are responsible for managing the PCA contracts and ensuring compliance with requirements.

Overall, we believe the contractors implemented a strong system of computer and physical security controls. However, we identified the following concerns that presented a risk to security. Except where noted, the concerns relate to only one particular contractor. Our onsite reviews were conducted prior to the placement of cases with the contractors; therefore, the contractors had not yet received Federal tax information.

Maintaining data on a shared server increases the risk of disclosure, loss, and theft of Federal tax information

One of the contractors we reviewed used a separate, dedicated server[5] to maintain Federal tax information. The other contractor we reviewed maintained Federal tax information on a server that was also used to store data for four other contractor clients. Using a shared server increases the risk that Federal tax information may be inadvertently disclosed, lost, or stolen. Contractors are required to ensure all account data are, at a minimum, partitioned off from other data maintained on their computer systems.
While a single, dedicated server for Federal tax information is not required, we believe Federal tax information should be maintained on a separate server to adequately protect against unauthorized disclosure while on a contractor’s computer system. Subsequent to our onsite review, the IRS informed us it verified the contractor had properly partitioned account data on its system.

The contractor that used the shared server used Telnet and Secure Shell to transmit Federal tax information. We have security concerns about the contractor’s decision to use Telnet. This compounds our concern over the use of a shared server. Telnet is a network protocol used on the Internet or local area network connections. It is considered unsecure due to various security vulnerabilities. Secure Shell is a set of standards and an associated network protocol that allows users to establish a secure channel between a local and a remote computer. Secure Shell, which provides greater security, was designed to replace Telnet.

There are three main reasons why Telnet is not recommended for modern systems from the point of view of computer security:

  • Commonly used Telnet daemons[6] have several vulnerabilities discovered over the years, and several more probably still exist.
  • Telnet lacks an authentication scheme[7] that would make it possible to ensure communication is carried out between the two desired hosts and not intercepted in the middle.
  • Telnet, by default, does not encrypt[8] data sent over the connection, thereby allowing intercepted data to be easily read and later used for malicious purposes.

[5] A server is a computer on a network (a group of two or more computers) that manages network resources.
[6] A daemon is a computer program that runs in the background, rather than under the direct control of the user.
[7] An authentication scheme is a method of verifying the sender and/or receiver (host) of a data transmission, to ensure the data have not been intercepted or altered.

Contractor management informed us they use Telnet because their other clients who share the server with the IRS need Telnet to run their applications. However, using Telnet to transmit data significantly increases the risk that Federal tax information may be inadvertently disclosed or stolen. We were later informed by contractor management that they had resolved this issue by developing the procedure to implement Secure Shell prior to the activation of Telnet when transmitting data. Although Secure Shell was not designed to be used in conjunction with Telnet, we believe this technique is sufficient to address our concern. However, the contractor did not indicate whether it uses this technique when transmitting data to its other clients. Because we had not considered this procedure during our onsite review of computer security, we cannot report on the risks associated with the contractor transmitting data to its other clients using a different technique.

Antivirus and encryption software are needed to provide an additional layer of security

We noted, as did a contractor hired by the IRS to review computer security, that one PCA had not loaded antivirus software on its operating system. We also noted the same PCA had not loaded encryption software on the laptops of 16 individuals authorized to enter the worksite. At the time of our review, the PCA had been unable to locate antivirus software compatible with its operating system.
Also, although PCA management’s anticipated completion date for laptop encryption was subsequent to our onsite review, the IRS indicated the PCA agreed not to allow the laptops to be removed from the worksite until after the software had been loaded.

Contractors are required to ensure all Federal tax information is protected from unauthorized disclosure while on their computer systems and to protect and maintain the integrity of their systems. Contractors should employ virus protection mechanisms at essential information system entry and exit points (e.g., firewalls, routers, remote-access servers) and at workstations or servers on the network. Contractors should update virus protection mechanisms (including the latest virus definitions) when new releases are available.

Antivirus software is an additional layer of security needed to protect an operating system from viruses and worms. Encryption software would protect data from unauthorized disclosure in case a laptop is lost or stolen. When antivirus and encryption software are not installed, the risk that Federal tax information may be corrupted or disclosed increases significantly.

We were later informed by PCA management that they had loaded encryption software on their laptops. Also, although they stated they had not obtained antivirus software for their operating system, they indicated the issue was addressed with the IRS by implementing other security measures within the Windows environment and by physically and logically locking the system down to prevent the loading of any software onto the system.

[8] Encryption is the process of converting data into a secret code. To read an encrypted file, a user must have access to a password that enables him or her to decrypt the data.

Contractors enhanced computer security by addressing various concerns

We identified the following concerns related to the protection of Federal tax information and audit trails. Each concern listed below is specific to either one or the other of the contractors we reviewed. While we do not consider these concerns to be as significant as the issues identified above, improvements could be made to enhance computer security.

  1. An unnecessary service on the router had not been disabled.
  2. There is no method in place for tracking system issues.
  3. Two risks identified by a contractor hired by the IRS to review computer security have not been properly addressed by the PCA.
  4. Audit logs have not been properly protected.
  5. Access control lists have not been applied to the CISCO[9] switch.[10]
  6. Backup tapes are not marked as Federal tax information and stored separately.
  7. The contractor has not completed development of a policy to address the IRS’ concern regarding contractor managers having access to email.
  8. User accounts are not disabled timely.

These concerns could permit inappropriate access to the system, inappropriate user capabilities, and unauthorized disclosure.
Although we believe these issues need to be addressed, we did not
consider them significant enough risks to prevent the assignment of cases to the contractors.
Contractors are required to implement system security controls, safeguards, and mechanisms at
all levels of the system and application layers. Settings of information technology products must
be configured to the most restrictive mode consistent with information system operational
requirements. Also, the information system must be configured to provide only essential
capabilities and specifically prohibit and/or restrict the use of unnecessary functions, ports,[11]
protocols,[12] or services. Access to Federal tax information is to be restricted to only those
persons whose duties or responsibilities require access; thus, information shall be clearly labeled
“Federal tax data.” Additionally, to avoid inadvertent disclosures, Federal tax information shall
be kept separate from other information.

[9] CISCO is a leading manufacturer of network equipment.
[10] A switch is a device that filters and forwards data files between computers within a network.
[11] A port is an access point into and out of a computer. The ports on a computer or server are used
to connect to communications lines and modems.
[12] A protocol is a convention or standard that controls or enables the connection, communication,
and data transfer between two computing endpoints.

While management of each contractor was in the process of addressing some of the concerns
listed previously, the remaining concerns were not considered or were simply overlooked. By
the time we concluded our onsite reviews, contractor management was in the process of
addressing concerns 2, 4, 5, and 6. We were later informed by management of each contractor
that they had resolved all of their respective issues. Many of the computer security issues
discussed above, including the maintenance of data on the shared server, were risks identified at
the location of the PCA for which the IRS did not extend the contract.

Contractors promptly resolved physical security concerns
The contractors implemented numerous physical security controls. Examples include requiring
employees to wear photo identification badges, controlling entry through key cards, securing the
work area with an alarm system, positioning video cameras at entrances, installing slab-to-slab
perimeter walls, and requiring visitors to obtain authorization prior to entering the work area.
Although several strong controls were in place, we identified a number of concerns at each
contractor worksite that we believe weakened physical security.
Appendix IV includes a list of
the specific concerns.
In developing and implementing physical security controls, contractor management simply
overlooked these particular factors while focusing on other security measures. However,
contractor management immediately addressed our physical security concerns as we identified
them. By the time we had concluded our onsite reviews and briefed IRS management on our
results, all but one of the concerns had been addressed. Because contractor management
believed differentiating identification badges posed a security risk for their employees, they
deferred the issue to the IRS for its consideration and agreed to implement any changes the IRS
deemed necessary. Differentiating identification badges is not a requirement. However, due to
the existence of a secondary, unmonitored entrance, we believe implementing this action would
strengthen access controls. We were later informed by management of the respective contractor
that they had resolved this issue.

Recommendations
The Director, Collection, Small Business/Self-Employed Division, should:
Recommendation 1: Include in the Request for Quotation[13] a requirement for PCAs to
maintain Federal tax information on a separate, dedicated server when the IRS expands the
Program to include additional contractors.
         Management’s Response: The IRS agreed with the recommendation.
         The Director,
         Collection, Small Business/Self-Employed Division, will include in the next Request for
         Quotation, a requirement for PCAs to maintain Federal tax information on a separate,
         dedicated server.

[13] A Request for Quotation is a formal solicitation to sources outside of the Federal Government
for offers to provide products or services.

Recommendation 2: Follow up to ensure the contractors have completed their efforts to
resolve computer and physical security concerns including implementing Secure Shell prior to
the activation of Telnet when transmitting data, loading encryption software onto laptops,
disabling the unnecessary service on the router, tracking system issues, protecting audit logs,
applying access control lists, labeling backup tapes as Federal tax information and storing them
separately, developing an email policy, timely disabling user accounts, and using differentiated
identification badges.
         Management’s Response: The IRS agreed with the recommendation. The Director,
         Collection, Small Business/Self-Employed Division, will follow-up with the PCAs to
         ensure all computer and physical security issues listed in the recommendation have been
         resolved.

Handbooks and Guides Were Revised to Address Most Concerns Regarding Procedural Consistency and Completeness
The IRS developed several handbooks and guides for the Program. These documents provide
the procedures necessary to carry out the requirements of the Program contract.
In reviewing the
procedures, we noted the following areas that needed to be strengthened and/or clarified.

Security procedures for handling taxpayer complaints could be strengthened
Taxpayer complaints regarding a contractor may be received either verbally or in writing from a
taxpayer or third party, self identified by a contractor, or identified by an IRS employee.
In evaluating draft procedures to determine whether the IRS had developed effective steps to
handle taxpayer complaints, we identified some noncritical areas that needed to be addressed by
management. The IRS was still in the process of perfecting the procedures at the time we
reviewed them.
     •   Despite Referral Unit[14] procedures to inform taxpayers that someone from the IRS will
         contact them regarding complaints, the COTR procedures identify only one occasion
         when taxpayers will be contacted. The COTR will respond to taxpayers if a written
         complaint is received for a Type One[15] complaint. However, there were no procedures
         for contacting taxpayers when verbal complaints are received or when written Type Two
         or Type Three taxpayer complaints are received.
     •   The COTR procedures did not identify a time period for forwarding taxpayer complaints
         to the contractors.
     •   Procedures for the Telephone Monitoring and Case Action Reviews conducted by the
         IRS did not provide specific steps for reviewers to identify and report taxpayer
         complaints. Also, if a reviewer identifies an error or problem, which would include a
         taxpayer complaint, the procedures directing the reviewer to forward issues to the COTR
         once a week were not consistent with other procedures to forward complaints to the
         COTR either immediately or within 24 hours of receipt.

[14] The IRS Referral Unit is responsible for assigning cases to contractors; maintaining cases;
recalling cases; responding to inquiries from taxpayers, contractors, and IRS staff; and handling
taxpayer complaints.
[15] Complaints are assigned a type code, based on the severity of the allegation(s). Rude behavior
would be a Type One complaint, intimidation would be a Type Two complaint, and a violation of the
Fair Debt Collection Practices Act would be a Type Three complaint.

The Government Accountability Office Standards for Internal Control in the Federal
Government require significant events to be clearly documented. At the time we conducted our
review, IRS management was already in the process of revising procedures for the Telephone
Monitoring and Case Action Reviews to include steps for reviewers to identify and handle
taxpayer complaints. However, procedures still do not direct reviewers to immediately forward
taxpayer complaints to the COTR. Also, recently revised COTR procedures do not address the
issues noted above.
If procedures are not updated, these conditions could result in untimely
suspension of contractor collection action, unsatisfactory customer service, and unidentified or
untimely identified taxpayer complaints.

The IRS clarified contractor procedures for suspending collection
The draft PCA Policy and Procedures Guide did not provide procedures to suspend contractor
collection action when the following conditions occur:
     •   During Referral Unit review of installment agreement[16] requests within the contractor’s
         authority.
     •   When a taxpayer appeals a rejected installment agreement.
     •   When a contractor receives a verbal threat(s) from a taxpayer.
     •   Upon receipt of a taxpayer lawsuit referencing an account assigned to a contractor.
These conditions are identified as events warranting suspension of PCA collection action in
various other IRS Program procedure guides. Without clarification of procedures, contractors
may not suspend collection action timely on accounts with these conditions.
However, after we
presented this information to IRS management, the PCA Policy and Procedures Guide was
revised to resolve all four issues.

[16] An installment agreement allows taxpayers to pay tax liabilities by making regular payments to
the IRS over time rather than all at once.

Recommendation
Recommendation 3: The Director, Collection, Small Business/Self-Employed Division,
should update the COTR procedures to identify a time period for forwarding taxpayer complaints
to the PCAs and for contacting taxpayers regarding verbal taxpayer complaints and written
Type Two and Type Three taxpayer complaints. Also, the Telephone Monitoring and Case
Action Review procedures should be updated to direct analysts to immediately forward taxpayer
complaints to the COTR.
       Management’s Response: The IRS agreed with the recommendation. The Director,
       Collection, Small Business/Self-Employed Division, will update the COTR and Quality
       Assurance Handbooks to incorporate instructions for responding to taxpayer complaints
       to address the issues identified in the recommendation.

Contractors Were Not Required to Have Scripts for Employees to Use When Contacting Taxpayers
The Request for Quotation did not require the contractors to have a script to direct employees
through telephone conversations with taxpayers. However, if the contractor used an initial
contact script, the IRS reviewed and approved the questions and procedures. One contractor
used an initial contact script that provided its employees with a very specific set of questions to
ask the taxpayer.
Another contractor used a series of general questions and a checklist of
specific items for the employees to consider. The third contractor did not use an initial contact
script and relied upon training provided to employees to ask the appropriate questions.
The IRS reviewed the initial contact scripts for the two contractors and asked one of the
contractors to change the script and it was appropriately changed. We reviewed the changed
scripts and determined the questions were appropriate and none of the questions violated
taxpayers’ rights. However, we believe taxpayer rights would be better protected if the Request
for Quotation required the contractors to use a script for all types of telephone contacts and
provide them to the IRS, which could then review and approve the scripts for every contractor.
This would also result in consistent approaches that the contractors take in contacting taxpayers
and better allow the IRS to perform a more consistent quality review, including the monitoring of
telephone calls. The IRS plans to expand the Program and issue a new Request for Quotation in
May 2007 soliciting more contractors.

Recommendation
Recommendation 4: The Director, Collection, Small Business/Self-Employed Division,
should include in the Request for Quotation a requirement for PCAs to provide a copy of scripts
for all telephone contacts with taxpayers to the IRS, which will then review and approve them.
         Management’s Response: The IRS agreed with the recommendation.
         The Director,
         Collection, Small Business/Self-Employed Division, will include in the next Request for
         Quotation a requirement for PCAs to provide a copy of scripts for all telephone contacts
         with taxpayers to the IRS for review and approval.

The Internal Revenue Service Should Continue Monitoring Revenue Projection Goals
The Department of the Treasury budget process requires annual revenue estimates for tax
proposals.[17] A revenue estimate serves as a benchmark for measuring the effects of tax law
changes and is generally over a 10-year period. In July 2004, the Department of the Treasury
calculated a $1.4 billion estimate in revenue over the next 10 years (Fiscal Years 2006-2015) for
the tax proposal that permits contractors to help collect Federal tax debts.
The IRS hired a contractor to develop a revenue model and used this model to calculate projected
revenue based on the inventory the IRS plans to place with contractors. The IRS continuously
compared its inventory plans and revenue estimates to the Department of the Treasury estimates
through February 2006.
The IRS revenue model estimates many factors, including:
     •   Standard Collection Curve – The model applies a standard collection industry curve for
         each case placement over a 12-month period to determine the number of cases on which
         some or all tax due was collected.
     •   Referrals for Enforcement – Estimated number of cases returned to the IRS for
         enforcement action.
     •   Unresolved Service Accounts (Recalls) – Estimated number of cases returned to the IRS
         due to other reasons (e.g., hardship,[18] innocent spouse[19]).
     •   Administrative Resolutions – Estimated number of cases returned to the IRS due to death
         or bankruptcy of the taxpayer.
     •   Initial Ramp Up – The model shows a gradual increase in the assigned collection rate[20] to
         allow the IRS and contractors to reach optimum performance and productivity.
We evaluated the revenue model to determine whether the IRS’ plans based on the model were
sufficient to achieve the goals set by the Department of the Treasury. The IRS is in the process
of updating the model and the revenue projection goals.
To ensure revenue estimates are
accurate, we believe management should consider the following three issues when updating the
revenue projection goals.

[17] A tax proposal is a bill considering a change or modification to a provision of the Internal
Revenue Code.
[18] A hardship means the taxpayer currently has no ability to pay the taxes.
[19] An innocent spouse is a taxpayer that can be relieved of responsibility for paying tax, interest,
and penalties if his or her spouse (or former spouse) improperly stated or underpaid the tax.
[20] The collection rate represents the percentage of dollars collected in comparison to the total
balance due of the cases placed with the contractors.

Revenue projection does not account for the impact of taxpayers who opt out of the Program
The IRS will be sending letters notifying taxpayers that their accounts have been assigned to a
contractor. Included with these letters is What You Can Expect When the IRS Assigns Your
Account to a Private Collection Agency (Publication 4518), which informs taxpayers they may
submit a written request to opt out of the Program if they do not wish to work with a PCA.
The revenue model does not include a factor to estimate the number of taxpayers who will elect
to opt out of the Program. The IRS indicated the ability for taxpayers to opt out is a unique
factor that has never been accounted for by either Federal Government agencies or private
industry.
Therefore, there are no historical data on which to base an estimate to include in the
model.
Until the cases are assigned, the impact of taxpayers who elect to opt out of the Program cannot
be predicted. Therefore, as the IRS expands into assigning other types of cases to contractors,
the impact of taxpayers who opt out of the Program should be reexamined. While few taxpayers
have initially opted out, the number may increase as accounts assigned to contractors become
more complex.

Criterion has been adjusted to include older cases in the contractor inventory
The IRS has been continuously monitoring inventory levels for initial implementation of the
Program. The contractor provided the IRS with an interactive revenue model used for
long-range planning. The revenue model allows the IRS to change the inventory selection
criteria and determine the impact to projected revenue. The IRS reexamined inventory options
and changed case criteria to maximize revenue projections and make sure it has enough
inventory available to meet the capacity of the contractors. One change to the contractor
inventory involved increasing the age a case has been in an IRS collection status. The initial
Program criterion called for cases that had been in collection status for less than 1 year; however,
the age in status was increased to 2 years and then to 3 years.
The amount of time a case is in an IRS collection status is not the true age of the account
liability; it is the length of time the account has been assigned to that particular collection status.
We previously reported[21] that, when the criterion for age in collection status was less than 1 year,
72 percent of the cases available for placement in the Program were more than 2 years old. Now
that the length of time in collection status has been increased, the cases being assigned are
probably even older.
We reported that older debts are frequently more difficult to collect; thus
the change in case age criterion may limit the IRS’ ability to reach the Department of the
Treasury’s revenue goals for the Program. Management agreed the cases being assigned to the
contractors may be older but stated the contractors are willing to work the cases being assigned
while the IRS does not have the resources to work them.

[21] Management Needs to Continue Monitoring Some Case Selection Issues As the Private Debt
Collection Program Is Implemented (Reference Number 2006-30-064, dated April 2006).

The collection rate used by the IRS is higher than the industry standard
During the research phase of the Program, the IRS visited some Federal and State Government
agencies that have used contractors, to assess their best practices for tax collection. The Federal
Government agencies visited were the Department of the Treasury Financial Management
Service and the Department of Education; the State agencies included some in New Jersey,
Michigan, Georgia, Maryland, and Virginia. During the visits, the IRS obtained data from the
Department of Education and the Financial Management Service on their collection rates with
contractors; these data reflect an average collection rate of less than 3 percent. The IRS did not
request collection rate figures from the State agencies.
However, the State of California has
announced it has referred more than $2 billion to private debt collection companies over the past
17 years, and $50 million (less than 3 percent) was actually recovered.[22] Our research of the
Department of Education and Financial Management Service confirmed the collection rate of
3 percent.[23]
The IRS discussed the potential inventory selected for assignment with subject-matter experts to
determine the estimated collection rates used in its revenue model. The revenue model starts
with a lower collection rate and gradually increases it to a range of 10 percent to 15 percent of
the contractor inventory. This “ramp-up” factor, as previously stated, allows the IRS and
contractors time to reach optimum performance and productivity. As of December 31, 2006, the
contractors had collected $11.4 million of the $105 million in liabilities placed with them by the
IRS. This represents a collection rate of 10.5 percent. Based on the ramp-up factor, this rate
should continue to increase.
Other Federal and State Government agencies work balance-due cases for approximately
180 calendar days before turning them over to contractors; however, the IRS is being very
selective in the cases it assigns to contractors. For the initial phase, the cases placed are
individual taxpayers who have filed a tax return with a balance due.
Considering these factors, the IRS contractor collection rate should be higher than that achieved
by other Federal and State Government agencies. Management plans to adjust the collection rate
once the cases are worked by the contractors and data are available to determine a true collection
rate for types of cases.
The IRS recognizes it will need to continuously monitor the collection
rate as it expands the types of cases assigned to contractors to work.

[22] The Tax Man and the Debt Collector Team Up (MSN Money, September 2005).
[23] Department of Education data relate to contractor performance from contract inception through
June 2002. Financial Management Service data relate to contractor referrals and collections as of
April 2003.

Recommendation
Recommendation 5: As data become available, the Director, Collection, Small
Business/Self-Employed Division, should continue updating and/or modifying the revenue
model to ensure the IRS appropriately accounts for the impact of taxpayers who opt out of the
Program, the age of the balance due, and the actual collection rate achieved.
       Management’s Response: The IRS agreed with the recommendation. The Director,
       Collection, Small Business/Self-Employed Division, will begin a review of the revenue
       model in July 2007 and either construct a new revenue model or update the existing
       model based on actual performance.
The updated or revised model will be available in\n       November 2007.\n\n\n\n\n                                                                                        Page 15\n\x0c                             The Private Debt Collection Program Was\n                              Effectively Developed and Implemented,\n                          but Some Follow-up Actions Are Still Necessary\n\n\n\n                                                                                   Appendix I\n\n        Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to evaluate the effectiveness of the IRS\xe2\x80\x99 implementation\nof the Private Debt Collection program (Program). To accomplish this objective, we:\nI.     Evaluated the revenue projection goals and determined if the IRS\xe2\x80\x99 plan was sufficient to\n       achieve the goals.\nII.    Identified the methods established to transmit Federal tax information and evaluated the\n       procedures used to transmit data between the IRS and the contractors.\nIII.   Evaluated controls established to ensure taxpayer rights are protected.\n       A. Determined if and how contractor employees were trained on the applicable laws and\n          regulations and if the contractors certified in writing that the required training had\n          been provided.\n       B. Obtained and evaluated the Quality Assurance program established to monitor\n          contractor activities to ensure there are no violations.\n       C. Determined if the IRS developed an effective program to handle taxpayer complaints.\n       D. Identified situations in which contractors are required to stop collection action and\n          determined if procedures were in place.\nIV.    Evaluated the proposed physical and data security controls over Federal tax information.\n       A. 
Determined if a background investigation had been conducted on all contractor\n          personnel working on the contract and if any employee who failed the background\n          investigation had been barred from working on the contract with the IRS.\n       B. Made physical visits to each of the three contractor worksites. At two of the\n          worksites, we evaluated the adequacy of the physical security to be provided over\n          Federal tax information. At the third worksite, we sat in as third-party observers\n          while the IRS evaluated the adequacy of the physical security.\n       C. Determined if the contractors implemented effective physical security safeguards to\n          ensure protection of the information technology system. We determined if the\n          computer systems processing, storing, and transmitting Federal tax information met\n          or exceeded controlled access protection audit trails, identification/authentication\n          controls, and access controls.\n\n\n\n                                                                                          Page 16\n\x0c                          The Private Debt Collection Program Was\n                           Effectively Developed and Implemented,\n                       but Some Follow-up Actions Are Still Necessary\n\n\n\n     D. Analyzed the IRS\xe2\x80\x99 plan to review the physical and data security at the contractors\xe2\x80\x99\n        worksites.\nV.   
Determined the method the IRS developed to monitor the quality of work being\n     performed by the contractors and evaluated the adequacy of the proposed IRS oversight\n     over the Program.\n\n\n\n\n                                                                                      Page 17\n\x0c                            The Private Debt Collection Program Was\n                             Effectively Developed and Implemented,\n                         but Some Follow-up Actions Are Still Necessary\n\n\n\n                                                                               Appendix II\n\n                 Major Contributors to This Report\n\nDaniel R. Devlin, Assistant Inspector General for Audit (Small Business and Corporate\nPrograms)\nParker F. Pearson, Director\nAmy L. Coleman, Audit Manager\nTodd M. Anderson, Lead Auditor\nChristina M. Dreyer, Senior Auditor\nMichelle Griffin, Senior Auditor\nDenise M. Gladson, Auditor\n\n\n\n\n                                                                                        Page 18\n\x0c                           The Private Debt Collection Program Was\n                            Effectively Developed and Implemented,\n                        but Some Follow-up Actions Are Still Necessary\n\n\n\n                                                                           Appendix III\n\n                         Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Services and Enforcement SE\nDeputy Commissioner, Small Business/Self-Employed Division SE:S\nDirector, Collection, Small Business/Self-Employed Division SE:S:C\nProject Director, Filing and Payment Compliance Modernization, Small Business/Self-Employed\nDivision SE:S:C:FPCMO\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control 
OS:CFO:CPIC:IC
Audit Liaison: Commissioner, Small Business/Self-Employed Division SE:S

Appendix IV

Physical Security Concerns

Prior to placement of cases with the contractors, we identified the following physical security concerns during our onsite reviews of contractor worksites. Except where noted, each concern is specific to one contractor. Management of each contractor immediately addressed our physical security concerns as we identified them.
   1. Perimeter doors did not have adequate locking mechanisms.
   2. Two rooms were not wired to the alarm system.
   3. The main entrance to the IRS work area was not monitored by a receptionist.
   4. Identification badges of employees working on the contract were not differentiated from identification badges of unauthorized employees that work across the hall.
   5. At both contractor worksites, the visitor log was not reviewed to determine each visitor’s need for access.
   6. Six employees had keys to the IRS work area; one did not have a need for access to Federal tax information.
   7. On a couple of occasions, private mail service companies inappropriately delivered IRS contract-related mail to the contractor’s headquarters office located in the building next door.
   8. Employees were permitted to use their desk telephones for personal calls.
   9. Vendors were provided escorted access to the collection room.
   10.
There were plans to provide one employee with control over both the unassigned key cards and the system that controls the access levels of the key cards.
   11. One employee was responsible for control over misdirected remittances.
   12. Procedures for handling significant conditions or situations that affect business operations had not been updated for computer security and had not been developed for physical security.

Concerns 1-6 represent a weakness in restricting access. Concerns 6-9 represent a weakness in preventing unauthorized disclosure. Concerns 10 and 11 represent a weakness in providing a separation of duties. Concern 12 represents a weakness in handling security breakdowns.

Contractors are required to provide secured collection office facilities and equipment to perform tasks under the private debt collection contract. The specified area shall be restricted to authorized IRS and contractor employees, and the area shall be physically separated from other activity with walls and secured access per IRS security requirements. The facility must have a locked and alarmed perimeter.
Additionally, access to the space must provide an audit trail such as a sign-in log, card reader, or computerized mechanical lock.

Appendix V

Management’s Response to the Draft Report